Login session refresh is not working | AEM 6.x

Issue

In AEM when Token Refresh is enabled on the Apache Jackrabbit Oak Token Configuration OSGi configuration[1], the login token does not refresh. This issue applies to both LDAP, and SAML 2, the default Token authentication.

Cause

Login token fails to refresh either due to a misconception of how the token refresh works or if encapsulated token is enabled.

Resolution

Check if Encapsulated Token Support is enabled. At the time of writing this article (AEM v6.0-6.3), encapsulated token login mechanism did not support token refresh.

Go to the following URL and login as admin: http://aem-host:port/system/console/configMgr/com.day.crx.security.token.impl.impl.TokenAuthenticationHandler

See if Enable encapsulated token support is enabled.

If encapsulated token support is not enabled, then it is likely that token refresh is working but it does not work as expected. When users log in, then the token does not refresh unless users access the system after half of the token expiration time configured in theOak Token Configuration [1]has passed.

For example, if the expiration is set to two hours, then the user could use the system during the whole first hour. But, if they do not access the system after an hour has passed, then the token would not refresh. Then they have to log in again after two hours have passed from their initial login. However, if they log in, wait for one hour, and access the system again then their token would refresh so the session would be extended.